freebsd / pkg

Package management tool for FreeBSD. Help at #pkg on Libera Chat or pkg@FreeBSD.org

periodic/security/405.pkg-base-audit returns 3 without explanation #2153

Open dlangille opened 1 year ago

dlangille commented 1 year ago

I noticed this started to happen after the host was upgraded from FreeBSD 13.1 to FreeBSD 13.2.

I have started to debug this, but have not yet found the cause. While I search, I'll create this placeholder issue.

[13:55 r730-01 dvl ~] % pkg info -x pkg
pkg-1.19.1_1

[13:51 r730-01 dvl ~] % sudo /usr/local/etc/periodic/security/405.pkg-base-audit

Checking for security vulnerabilities in base (userland & kernel):
Host system:
Database fetched: Fri Jun 23 12:19:35 UTC 2023
0 problem(s) in 0 installed package(s) found.
0 problem(s) in 0 installed package(s) fouD

jail: dns1
Database fetched: Fri Jun 23 12:19:35 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: cliff2
Database fetched: Fri Jun 23 12:19:36 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: mysql01
Database fetched: Fri Jun 23 12:19:36 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: pg01
Database fetched: Fri Jun 23 12:19:37 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: pg02
Database fetched: Fri Jun 23 12:19:37 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: pg03
Database fetched: Fri Jun 23 12:19:38 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: dev-nginx01
Database fetched: Fri Jun 23 12:19:38 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: test-nginx01
Database fetched: Fri Jun 23 12:19:39 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: bacula
Database fetched: Fri Jun 23 12:19:39 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: besser
Database fetched: Fri Jun 23 12:19:40 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: certs-rsync
Database fetched: Fri Jun 23 12:19:40 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: certs
Database fetched: Fri Jun 23 12:19:41 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: git
Database fetched: Fri Jun 23 12:19:41 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: svn
Database fetched: Fri Jun 23 12:19:42 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: webserver
Database fetched: Fri Jun 23 12:19:42 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: dev-pgeu
Database fetched: Fri Jun 23 12:19:43 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: mqtt01
Database fetched: Fri Jun 23 12:19:44 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: bacula-sd-02
Database fetched: Fri Jun 23 12:19:44 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: jail-testing
Database fetched: Fri Jun 23 12:19:45 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: samdrucker
Database fetched: Fri Jun 23 12:19:45 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: nsnotify
Database fetched: Fri Jun 23 12:19:45 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: bacula-sd-03
Database fetched: Fri Jun 23 12:19:46 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: fileserver
Database fetched: Fri Jun 23 12:19:46 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: mydev
Database fetched: Fri Jun 23 12:19:47 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: jail_within_jail
Database fetched: Fri Jun 23 12:19:48 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: serpico
Database fetched: Fri Jun 23 12:19:48 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: dns-hidden-master
Database fetched: Fri Jun 23 12:19:49 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: unifi01
Database fetched: Fri Jun 23 12:19:49 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: stage-nginx01
Database fetched: Fri Jun 23 12:19:50 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: talos
Database fetched: Fri Jun 23 12:19:50 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: pkg01
Database fetched: Fri Jun 23 12:19:51 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: keycloak
Database fetched: Fri Jun 23 12:19:51 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: dev-ingress01
Database fetched: Fri Jun 23 12:19:52 UTC 2023
0 problem(s) in 0 installed package(s) found.

jail: dev-ingress01.freshports
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.

jail: test-ingress01
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.

jail: test-ingress01.freshports
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.

jail: stage-ingress01
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.

jail: stage-ingress01.freshports
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
[13:52 r730-01 dvl ~] % echo  $?
3
dlangille commented 1 year ago

I know the cause.

I have a jail which does not contain the file /var/db/pkg/vuln.xml. This jail also does not have pkg installed.

In my use case, I ignore this jail by adding this entry to /etc/periodic.conf: `security_status_pkgaudit_jails_ignore="dev-ingress01.freshports"`

I'm not sure why it silently fails. This is the log produced from the script. This is as far as I got today.

+ echo '-j dev-ingress01.freshports'
+ egrep ^-c
+ [ -n '' ]
+ echo '-j dev-ingress01.freshports'
+ egrep ^-j
+ [ -n '-j dev-ingress01.freshports' ]
+ echo '-j dev-ingress01.freshports'
+ awk '$1 ~ /^-[j]/ { print $2 }'
+ jid=dev-ingress01.freshports
+ jexec dev-ingress01.freshports freebsd-version -u
+ jailv=13.2-RELEASE
+ echo 13.2-RELEASE
+ wc -c
+ strlen='      13'
+ [ 13 -gt 17 -o 13 -lt 11 ]
+ echo 13.2-RELEASE
+ sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
+ usrlv=FreeBSD-13.2
+ stat -f %m /jails/dev-ingress01/jails/freshports/var/db/pkg/vuln.xml
+ then=''
+ rc=3
+ date +%s
+ now=1687791274
+ [ 3 -ne 0 -o 172800 -le 1687790674 ]
+ anticongestion
+ [ -n '' ]
+ [ -f '' ]
+ f=-F
+ echo '-j dev-ingress01.freshports'
+ egrep '^-[cj]'
+ sysctl -n security.jail.jailed
+ [ -z '-j dev-ingress01.freshports' -a 0 '=' 0 ]
+ /usr/local/sbin/pkg audit -F FreeBSD-13.2
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
+ return 3
+ last_rc=3
+ [ 3 -gt 1 ]
+ rc=3
+ echo
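A diagnostic that mirrors the exit-code path visible in the trace above, added here as an example and not code from the pkg project or the periodic script: it checks each jail root for /var/db/pkg/vuln.xml, explains the missing file instead of staying silent, honours the `security_status_pkgaudit_jails_ignore` list, and propagates 3 the way the script does. It assumes jail roots are given as paths in a constructed name/root list and uses a plain file test in place of the script's `stat -f %m` so it runs on any POSIX sh.

```shell
# Added example, not code from the pkg project or the periodic script.
# Assumptions: jail roots are passed as paths; jail names/roots in demo()
# are constructed; a plain -f test stands in for the script's stat -f %m.

# check_jail_vulnxml ROOT NAME
#   Return 3 (the code the periodic script sets when stat on vuln.xml
#   fails) and say why; return 0 when the file is present.
check_jail_vulnxml() {
    root=$1; name=$2
    vuln="$root/var/db/pkg/vuln.xml"
    if [ ! -f "$vuln" ]; then
        echo "jail: $name: $vuln missing (pkg not installed?); rc=3" >&2
        return 3
    fi
    return 0
}

# audit_all_jails JAILS_FILE IGNORE_LIST
#   JAILS_FILE holds "name root" per line. IGNORE_LIST is the value of
#   security_status_pkgaudit_jails_ignore. Keeps the highest per-jail
#   code, mirroring the last_rc/rc comparison in the trace.
audit_all_jails() {
    jails_file=$1; ignore=$2
    rc=0
    while read -r name root; do
        [ -z "$name" ] && continue
        case " $ignore " in
            *" $name "*) echo "jail: $name (ignored)"; continue ;;
        esac
        check_jail_vulnxml "$root" "$name" && last_rc=0 || last_rc=$?
        [ "$last_rc" -gt "$rc" ] && rc=$last_rc
    done < "$jails_file"
    return "$rc"
}

# Constructed demo: two fake jail roots, only one of which has vuln.xml.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pg01/var/db/pkg" "$tmp/freshports/var/db/pkg"
    : > "$tmp/pg01/var/db/pkg/vuln.xml"
    printf 'pg01 %s/pg01\nfreshports %s/freshports\n' "$tmp" "$tmp" > "$tmp/jails"
    audit_all_jails "$tmp/jails" ""
    echo "no ignore list: exit $?"            # 3, now with an explanation
    audit_all_jails "$tmp/jails" "freshports"
    echo "freshports ignored: exit $?"        # 0
    rm -rf "$tmp"
}
demo
```

Run it as root against the real jail roots (for example /jails/<name>) to see which jail is responsible before adding it to the ignore list or installing pkg inside it.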